Hi Splunk Masters,
Currently stomped and couldn't find the solution through the forums.
I have to chart the values from this particular column that his 50 different instances that change per different input in the dropdown (kindly refer to the code and screenshots for reference).
Currently searching for a way to rename the values in the legend so that I could pass it in a drilldown to another dashboard. Is there a way to do it for the single column?
<edit>
I would want either to rename it or add the four (4) alphanumeric characters from the dropdown plus a <space>, < - >, and <space> before the series names.
For example, when the user selects D7X0, the output on the right is what the search would produce and the one on the left is my desired outcome:
| BATPLOW | D7X0 - BATPLOW |
| BATTLOW | D7X0 - BATTLOW |
| D7X0WGHT | D7X0 - D7X0WGHT |
| DDFTMED | D7X0 - DDFTMED |
| MQDFLT | D7X0 - MQDFLT |
| STCHI | D7X0 - STCHI |
| STCLOW | D7X0 - STCLOW |
| SYSSTC | D7X0 - SYSSTC |
| SYSTEM | D7X0 - SYSTEM |
| TSOMED | D7X0 - TSOMED |
| OTHER | D7X0 - OTHER |
</edit>
Thanks
<form theme="dark">
<label>CSC/ERSC/PSI_SRVCLASS_Report</label>
<fieldset submitButton="true" autoRun="true">
<input type="dropdown" token="lpar">
<label>Select to View</label>
<choice value="-LPAR-">-LPAR-</choice>
<choice value="D7X0">D7X0</choice>
<choice value="H7X0">H7X0</choice>
<choice value="D1D0">D1D0</choice>
<choice value="DAD0">DAD0</choice>
<choice value="E1D0">E1D0</choice>
<choice value="H1D0">H1D0</choice>
<choice value="WSYS">WSYS</choice>
<choice value="YSYS">YSYS</choice>
<default>-LPAR-</default>
</input>
<input type="text" token="from">
<label>From MM/DD/YYYY</label>
<default>01/01/2022</default>
</input>
<input type="text" token="to">
<label>To MM/DD/YYYY</label>
<default>01/31/2022</default>
</input>
</fieldset>
<row>
<panel>
<title>$lpar$ $from$ $to$</title>
<chart>
<title>Shows the Average of each Service Class</title>
<search>
<query>index=mainframe-platform sourcetype="mainframe:serviceclass"
MVS_SYSTEM_ID=$lpar$
| eval DATE=strftime(strptime(DATE,"%d%b%Y"),"%Y-%m-%d")
| eval _time=strptime(DATE." ","%Y-%m-%d")
| where _time >= strptime("$from$", "%m/%d/%Y") AND _time <= strptime("$to$", "%m/%d/%Y")
| chart avg(MIPS_UTIL) over DATE by SRVCLASS</query>
<earliest>0</earliest>
<latest></latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
<option name="charting.axisLabelsY.majorUnit">200</option>
<option name="charting.axisTitleX.text">Dates</option>
<option name="charting.axisY.minimumNumber">0</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.chart">column</option>
<option name="charting.chart.overlayFields">D7X0WGHT,H7X0WGHT,D1D0WGHT,DAD0WGHT,E1D0WGHT,H1D0WGHT,WSYSWGHT,YSYSWGHT</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">top</option>
<option name="height">468</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
</form>
I tried that and also this version on a table panel but both instances gave the same "NULL" result.
Was wondering if there was a way to code it within the source to condition each of the values to the desired outcome.
The only downside would that if someone else works on the code might not be able to figure it out. But I can work that out through documentation if this would be possible. Will continue my search with this kind of a method.
index=mainframe-platform sourcetype="mainframe:serviceclass"
MVS_SYSTEM_ID=$lpar$
| eval DATE=strftime(strptime(DATE,"%d%b%Y"),"%Y-%m-%d")
| eval _time=strptime(DATE." ","%Y-%m-%d")
| where _time >= strptime("$from$", "%m/%d/%Y") AND _time <= strptime("$to$", "%m/%d/%Y")
| eval SRVCLASS=$lpar$." - ".SRVCLASS
| chart sum(MIPS_UTIL) over DATE by SRVCLASS
